Running a vastool create command as an AD user fails with the following:
ERROR: Failed to create user <username>
VAS_ERR_FAILURE: Unspecified failure
Could not set password
VAS_ERR_ACCESS: Access denied
<username>@<domain> does not have permission to set the password for user2@domain. The account may be locked.
KPASSWD_ACCESSDENIED: Access denied
This can occur when the permission to set passwords on objects was delegated to the account through a domain local security group.
Product Defect #424350
Fix: Upgrade to version 126.96.36.19931 of Authentication Services or above.
Workaround: Set the domain local group to be a universal group.
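The workaround as it could be applied from an administrative Windows host. This is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module is installed, and the function name and the group name 'UnixPasswordAdmins' are placeholders. Active Directory rejects a domain local to universal conversion while another domain local group is a member, so the function checks for that before changing anything.

```powershell
# Added example: requires the ActiveDirectory (RSAT) module and rights to modify the group.
# 'UnixPasswordAdmins' is a placeholder group name, not taken from the article.
Import-Module ActiveDirectory

function Convert-DelegationGroupToUniversal {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity
    )

    $group = Get-ADGroup -Identity $Identity

    if ($group.GroupScope -eq 'Universal') {
        Write-Output "$($group.Name) is already a universal group; nothing to change."
        return
    }
    if ($group.GroupScope -ne 'DomainLocal') {
        throw "$($group.Name) has scope $($group.GroupScope); the workaround applies to domain local groups."
    }

    # A domain local group can only nest domain local groups from its own domain,
    # so member lookups that fail (members from other domains) are safe to skip.
    $blocking = Get-ADGroupMember -Identity $group |
        Where-Object { $_.objectClass -eq 'group' } |
        ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName -ErrorAction SilentlyContinue } |
        Where-Object { $_.GroupScope -eq 'DomainLocal' }

    if ($blocking) {
        throw "Cannot convert: nested domain local group(s): $($blocking.Name -join ', ')"
    }

    if ($PSCmdlet.ShouldProcess($group.DistinguishedName, 'Set group scope to Universal')) {
        Set-ADGroup -Identity $group -GroupScope Universal
        # Read the group back to confirm the new scope.
        Get-ADGroup -Identity $group | Select-Object Name, GroupScope, GroupCategory
    }
}

# Preview the change first; run again without -WhatIf to apply it.
Convert-DelegationGroupToUniversal -Identity 'UnixPasswordAdmins' -WhatIf
```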